Category Archives: Payment News

Two week ago I made of few predictions for Payment Systems in 2009 ( you can read that post here) Here are the two that I can cross off and pat myself on the back for.

Gift Cards: You or someone that you know will have a gift card, merchandise credit/refund card for a merchant that is no-longer is business in 2009. Gift givers will take note of this and consider giving cash rather then gift cards in holiday 2009 season.

From the Circuit City website: Circuit City would like to thank all of the customers who have shopped with us over the past 60 years. Unfortunately, we announced on January 16, 2009, that we are going out of business.

Will Circuit City stores continue to accept Circuit City GIFT CARDS?

Yes, customers holding Circuit City gift cards may redeem them at full value at our stores during the liquidation sales. Once the stores are closed and the company is out of business, the gift cards will have no value.

PCI Data Security Breaches: There will be data breaches of cardholder data in 2009. We will see more innovative attacks that replace those that were effective before PCI compliance was a wide spread. Even organizations that are validated "PCI Compliant" will not be exempt. We will see attacks that adapt and change around current PCI Controls.

I blogged about Heartland Payment Systems here and shared my thoughts on the situation here, Yes this breach was at a PCI Compliant and Validated service provider, and the attack appeared to be one that was sophisticated and adapted around the current PCI Controls.

You should all be aware of the Heartland Payment Systems Breach that happened on Inauguration day – had it been a different day it would be a front page story, perhaps it will be a front page story today? This post is to share my thoughts (that are speculation) based on my experience in payment systems and security rather than to re-hash the Heartland Press Release.

Let the pundits come: I can hear it now, "Was Heartland PCI Compliant ?" (They were/are btw, the QSA was Trustwave and they are listed as a compliant service provide dated April 30th, 2008) If they were PCI compliant how did a breach occur ? It is important to note (again, and again) that Compliance != Security. Compliance is a snapshot in time, PCI is not based on an organization’s own risk assessment of their environment. It is a prescriptive list of general IT Controls to be used as a baseline for "better" security then those organizations that are not compliant with the intent of reducing the risk of breaches. But you can be compliant and not secure, security is a process and constantly striving towards that end (it is like driving to infinity you never get there), is the goal, not compliance itself. I also expect to see merchants use this as an excuse — why are we spending all of this money for PCI complaint when attackers can successfully attack Processors anyway?

Processors and Service Providers are Fort Knox: Processors process for thousands of merchants and handle a large volume of transactions. Processors are in the business of processing card data, they require card numbers to communicate over the payment systems interchange networks as well as to provide settlement, clearing , and authorization files (among others) — The data of these files and message formats have account numbers, track data, cvv2 data (only the authorization messages include the last two) in the clear -but transmission is typically over a private leased line, use file level encryption, or transport level encryption, but there is a place in the "PCI-ZONE" of companies that sends this data in clear across the network – making sniffing the traffic a threat here. Can this be further controlled by further network segmentation and control at processors? I think so (topic of another post). Only the Payment Switch would need to have direct connections to these end-points not the full PCI-Zone.

Blame the QSA: Nobody has blamed the QSA yet, and I don’t know if anyone will, but I’m sure someone will try to; when breaches occur they are going to be asked what they missed ? What does that mean for QSA’s or IT auditors ? How do your work papers look ? Can a independent third party look at your work papers as evidence and come to the same conclusion as you? Did you test to the control or did you test something else ? Did you understand intent of the control ?

Issuing Banks: You don’t get to hear much of the story about the burden on Issuing Banks here. They have the cost of notifying cardholders, postage expense, customer service calls, brand perceptions problems due to confused customers, costs to reissue cards, etc. This includes both credit, debit, payroll, gift and others.

Press Release: Two things that got me about the Press Release, one was its timing, which may or may not be a coincidence, and the second was the focus was on the data that was not compromised, not the data that was. Like why not add: The cardholders’ favorite colors and cereals were also not compromised Account Numbers, Expiration Date and Track Data (Track 1 contains Name, Track 2 doesn’t) were compromised, cloned cards can be made from these "dumps" of magstripe data.

PCI Compliance: Remember that Service Providers and Processors where the very first to be scrutinized under Visa’s CISP and MasterCard’s SDP programs, and later PCI. The truth is that many processors and gateways should have close to 5 years or so of experience with PCI compliance and reviews if they are not a new service provider. Also: If you ever read through some of the actual audit procedures of PCI – notice what the auditors actually test: some tests are just based on Inquiry or documentation alone, furthermore some tests that do not test the operating effectiveness of some of these controls to a period of time.

Cost of the Breach: Anything that you hear is a guess – nobody knows for sure– (Well the card brands and affected issuers probably will) – we know that Heartland does 100 million in volume a month, and can safely assume that data was sniffed for a few months (some reports it as in place as early as May 2008) — we don’t know the unique number of card numbers nor do we know which card numbers are affected. I would guess around $600 million – based on cost of record at ~$6.00 and assuming 100 million unique card numbers were affected.

How did it Happen: Let’s look at the PR:

" After being alerted by Visa® and MasterCard® of suspicious activity surrounding processed card transactions, Heartland enlisted the help of several forensic auditors to conduct a thorough investigation into the matter. Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network."

There really isn’t enough information here but let’s make an educated guess: We know that malware/software was installed. So we have the threat of physical security/social engineering that would install a piece of software, an OS or Application level attack, or a targeted piece of malware that was installed in the PCI Zone accidentally. Perhaps a combination of some of these. This type of Malware (sniffers) requires administrator system or root level access in order to sniff network traffic in promiscuous mode (in most cases.) There are ways to flood network switches to make them act as a hub to broadcast traffic, and there are also VLAN hopping attacks.

PCI 1.2.1 / 1.3.5

Let’s look at PCI 1.2.1:

"Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment"

and PCI 1.3.5

"Restrict outbound traffic from the cardholder data environment to the Internet such that outbound traffic can only access IP addresses within the DMZ"

So the data would need to be collected and re-transmitted to a drop site, the drop site was probably actually multiple drop sites, and I’m guessing a well known outgoing port such as 443/SSL was used with encrypted payloads. These two PCI controls are intended to prevent outbound access from the cardholder environment, did these systems have outbound Internet access ? or if they did was it controlled ? and if it was controlled was it able to pass though the allowed outgoing traffic ?

Anti-Virus / Firewalls / Encryption: These are terms that are used to define ones security, Security is not a product – But let’s look at each of these briefly:

Anti-Virus – The effectiveness of Anti-Virus is poor, if you are familiar with services such as VirusTotal or have read something like this <– This is why not all malware can be detected by Anti-Virus.

Firewalls – I swear I think people think that firewalls are magic devices — Hollywood and TV Land don’t really help here either. Understand what a firewall does – it works at the network layer and can either allow or block IP Address or ranges and port numbers, that is basically all they do. Granted, Application level firewalls and Web Application Firewalls can inspect the content of the traffic (I’m not talking about these)

Encryption: There are different types of encryption, each protects different things in different ways.So you you say something to the effect of:

"We have industry leading encryption"

Are you talking about File Level Encryption ? Disk Encryption (which only works at data at rest), Transport encryption, encrypted data elements or application level encryption, column level or transparent encryption in a database ? Understand that Encryption is not Encryption is not Encryption. For example using a product to encrypt a disk to store data at rest, does not provide encrypted data elements and transport level encryption. And lastly End-to-End Encryption solutions would not of prevented this either: see my post here: When End-to-End Encryption is really not End-to-End.

I got out my Crystal Ball and Tarot Cards out and thought it would be fun to share some 2009 Payment Systems Predictions.

Here they are in no particular order:

Reduction of number of Stores for retailers:"The Economy" will not be kind to retailers and speciality shops in 2009. We will see stores closing; as the economy expanded retailers expanded, and the inverse will be true. This means that companies will be looking to the expense side and looking for innovative ways to reduce operating costs that have a fast ROI and payback. This will be in systems and back-office standardization and migration from expensive legacy platforms and large maintenance agreements. Decrease in jobs means decrease in spending. Any governmental based stimulus program needs to ensure that monies provided for "kick-starting" the economy are controlled in a manner that they are spent and not saved or used to pay down existing debt.

Gift Cards: You or someone that you know will have a gift card, merchandise credit/refund card for a merchant that is no-longer is business in 2009. Gift givers will take note of this and consider giving cash rather then gift cards in holiday 2009 season.

Issuing Banks: When the "times were good" people could live with negative savings rate, and see the value of their home increase, this increasing equity plus mortgage refinances allowed people to live beyond their means. Many consumers’ behaviors will not change, and we will see a run up of credit card debt. Credit Card Issuers will be trying to mitigate this risk, and will reduce credit lines, increase fees and rates, and be more restrictive in their underwriting processes. For some issuing banks we may see similar bailouts to that of mortgage companies and consumers are unable to pay.

Interchange Rates: There will be continued pressure by merchants to the Card Brands to lower interchange rates, and Issuers lobbing to increase them to cover increased losses on bad debt. Alternative payment structures and card types and acceptance and Cash Discounts will be offered to consumers and driven by merchants to reduce cost of accepting payments.

End-to-End Encryption: We will continue to see a proliferation of "End-to-End" encryption options that are based on or mirror Mag Tek’s MagneSafe offering – More Terminal Manufactures will be using capable devices, and payment gateways solutions here as well. PCI Council with notice this and consider making this a requirement in a future version of the PCI DSS.

PCI Data Security Breaches: There will be data breaches of cardholder data in 2009. We will see more innovative attacks that replace those that were effective before PCI compliance was a wide spread. Even organizations that are validated "PCI Compliant" will not be exempt. We will see attacks that adapt and change around current PCI Controls.

Mobile Payments: 2009 will be the year of push of mobile payments, with many new entries in this space and those fighting for mass acceptance. The contact-less infrastructure that has been put in place will be used and leveraged by mobile phones at card acceptor locations using Near Field Communication (NFC).

Cloud Computing / Hosted Payments Platforms: 2009 will see more applications that are typically ran in the back-office of certain types of companies to the "cloud" – the proliferation of virtualization and commodity servers allowing this, and Amazon EC2, Microsoft Azure and others including vendors that provide cloud based access to their software solutions. IT Security Buffs and PCI Auditors will debate PCI and Cloud Computing.

We see a P2P like money transfer service for card and mobile phone holders:

Under a pilot program with U.S. Bank, which is scheduled to begin by the end of the year, Visa will offer mobile money transfers from one Visa cardholder’s account to another. A U.S. Bank Visa cardholder would use a Web browser on their phone to access funds and transfer it directly to the recipient’s account. The recipient could then withdraw the funds from an ATM machine, or use the money to make purchases.

and working will cell phone manufactures Google Android Platform.

The Visa-Android deal calls for Chase Visa cardholders to use their Android phone for not only transferring money, but also to receive real-time email alerts when transactions happen on their Visa account, receive offers from merchants, and view images on Google maps to find the location of those merchants who are offering the specials. The Google-Visa deal is expected to begin sometime by the end of the year.

and we begin to see the merging between the card and a phone as a contact-less payment vehicle at the point-of-sale.

The Nokia 6212 classic includes integrated Near-Field Communications chipsets (NFC) which lets the mobile device behave like a contactless payment card, where consumers simply wave it within a few inches of a special point of sale reader to complete a Visa transaction. Nokia and Visa first demonstrated NFC technology in December 2005 with the launch of the first large scale NFC trial in the United States at the Phillips Arena in Atlanta.

“The government said the Dave & Buster’s hackers illegally accessed 11 of the national chain’s servers and installed packet sniffers at each location. The sniffers vacuumed up “Track 2″ data from the credit card magstripes as it traveled from the restaurant’s servers to Dave & Buster’s headquarters in Dallas, according to the indictment.”

In my post titled, “Encrypted Traffic from within the PCI Zone” I discuss that we have adapted OLS.Switch‘s point-of-sale (POS) TCP/IP interface to accept POS payment messages across the store’s PCI Zone (Protected network zone where CC Data would transverse) but include an encrypted account number field or data element instead of the clear text PAN (Primary Account Number), in the PAN field. So this would act as a deterrent to network sniffing

That being said — it appears that there was a lack of montioring or mis-configuration or lax physical security around the POS, wiring closet, and network cable runs.

Again: I wouldn’t be surprised that if in future revisions of the PCI DSS – traffic from POS systems on private networks will be required to be transport encrypted in a tunnel or require encrypted fields/data elements.

BTW, Dave & Busters does have a pretty cool private stored value system and game card that you place in their games inorder to play and reload to play more.

EDIT: CIO has an article here: This is probably the best quote from the article.

Unfortunately for the criminals, Gonzalez’s code had some problems

In April 2007 it bombed its first test, on a point-of-sale server at the Dave & Buster’s in Arundel, Maryland. “The packet sniffer malfunctioned … and no credit or debit card account information was captured, ” Lynch said.

Even when the packet sniffer worked, the hackers were forced to keep returning to the Dave & Buster’s network and restarting their malicious software, Lynch said. A bug in the packet sniffer caused it to shut down whenever the computer it was monitoring rebooted.